US-CERT Vulnerability Notes Database


Vulnerability Note VU#823971

Microsoft Internet Explorer contains a Channel Definition Format (CDF) cross-domain vulnerability

Overview

Microsoft Internet Explorer contains a vulnerability that may allow unintended information disclosure or remote code execution due to a flaw in handling Channel Definition Format (CDF) files.

I. Description

From the Microsoft Channel Definition Format description:

    Channel Definition Format (CDF) files can be used to organize a set of related Web pages into a logical hierarchy. A channel is a Web site described by a Channel Definition Format (CDF) file. The CDF file defines a hierarchy of the pages that are included in the channel. Besides defining the resources in the channel, the CDF file also specifies how each item will be used or displayed, and when the channel should be updated. For more information about CDF files, see the product documentation.

An attacker may be able to exploit the flaw in CDF file handling to execute code in the Local Machine Zone.

II. Impact

A remote attacker may be able to execute arbitrary code or access otherwise restricted information by crafting a malicious web page, then convincing a user to visit it by clicking on a link or email. The code would execute with the privileges of the user running Internet Explorer.

III. Solution

Apply an update

Microsoft Windows users should use Windows Update to automatically obtain the correct fixes, or apply the relevant patches outlined in Microsoft Security Bulletin MS05-014, described in Microsoft Knowledge Base Article 867282.

Install Windows XP Service Pack 2 (SP2)

Microsoft Windows XP SP2 includes a feature called Local Machine Zone Lockdown, as well as other improvements. The Local Machine Zone Lockdown prevents Internet Explorer and several other programs from evaluating script in the Local Machine Zone. While this does not remove the vulnerability, it does help prevent an attacker from executing script in the Local Machine Zone.

Read and send email in plain text format

Outlook 2003, Outlook 2002 SP1, and Outlook 6 SP1 can be configured to view email messages in text format. Consider the security of fellow Internet users and send email in plain text format when possible. Note that reading and sending email in plain text will not necessarily prevent exploitation of this vulnerability.

Do not follow unsolicited links

In order to convince users to visit their sites, attackers often use URL encoding, IP address variations, long URLs, intentional misspellings, and other techniques to create misleading links. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.
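
A sketch of how a mail or proxy filter could flag the link traits listed above. This is an added example, not part of the original note; the host list, the length threshold and the warning labels are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit

KNOWN_HOSTS = ["microsoft.com", "cert.org", "example.com"]  # constructed allow-list
MAX_URL_LEN = 100  # assumed cutoff for a "long URL"
# Dotted-quad, single-integer, hex and octal spellings of an IPv4 address.
IP_FORM = re.compile(r"(0x[0-9a-f]+|\d+)(\.(0x[0-9a-f]+|\d+)){0,3}")
PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of known hosts."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def link_warnings(url):
    """Return the misleading-link traits found in url (empty list if none)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    found = []
    if len(url) > MAX_URL_LEN:
        found.append("long-url")
    if parts.username is not None:  # text before '@' is not the destination
        found.append("userinfo-before-host")
    if IP_FORM.fullmatch(host) or ":" in host:
        found.append("ip-address-host")
    else:
        # Naive registered-domain guess: the last two labels of the host.
        base = ".".join(host.split(".")[-2:])
        if any(0 < edit_distance(base, k) <= 2 for k in KNOWN_HOSTS):
            found.append("lookalike-host")
    # Letters and digits never need percent-encoding in the host or path.
    encoded = PCT.findall(parts.netloc + parts.path)
    if any(chr(int(h, 16)).isalnum() for h in encoded):
        found.append("needless-url-encoding")
    return found


if __name__ == "__main__":
    for sample in ("http://www.cert.org/advisories/CA-2000-02.html",
                   "http://www.example.com@3221225985/%6cogin"):  # constructed
        print(sample, link_warnings(sample))
```

These checks are heuristics for triage: a clean result does not mean a link is safe, which matches the note's caveat about compromised trusted sites.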

Use a different web browser

There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, local file system (Local Machine Zone) trust, the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX. These technologies are implemented in operating system libraries that are used by IE and many other programs to provide web browser functionality. IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system.

It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when viewing untrusted HTML documents (e.g., web sites, HTML email messages). Such a decision may, however, reduce the functionality of sites that require IE-specific features such as proprietary DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control (WebOC), or the HTML rendering engine (MSHTML).

Systems Affected

Vendor                   Status        Date Updated
Microsoft Corporation    Vulnerable    8-Feb-2005

References


http://www.microsoft.com/technet/security/Bulletin/MS05-014.mspx
http://www.cert.org/advisories/CA-2000-02.html#impact
http://www.cert.org/tech_tips/malicious_code_FAQ.html#ie56
http://support.microsoft.com/?kbid=833633
http://support.microsoft.com/?kbid=315933
http://support.microsoft.com/?kbid=240797

Credit

Thanks to the Microsoft Corporation for reporting this vulnerability.

This document was written by Ken MacInnis based primarily on information provided by the Microsoft Corporation.

Other Information

Date Public: 02/08/2005
Date First Published: 02/08/2005 06:42:02 PM
Date Last Updated: 02/09/2005
CERT Advisory:
CVE-ID(s): CAN-2005-0056
NVD-ID(s): CAN-2005-0056
US-CERT Technical Alerts:
Metric: 21.00
Document Revision: 12

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Copyright 2005 Carnegie Mellon University